Many Great Features Added in OpenRMF Professional v2.11

Dale Bingham
Feb 7, 2025

We just released a major update to OpenRMF Professional with features users have been asking for, along with some major innovations around automating and managing your ATO and cyber compliance information. The full list of updates is here.

OpenRMF Professional v2.11 Released!

CKLB format support

The first major addition is support for the newer CKLB JSON checklist format from STIGViewer 3. Not only did they redo the format from XML to JSON, but saving as CKL from STIGViewer 3 (if you have to use that) also changed the fields they rely on.

So we allow all formats of CKL and CKLB now, whether a single checklist or one that is combined. And you can upload, update, and download both types regardless of the original format!

Elasticsearch Full Text Search of Checklists

One of the big requests from users we have in the Intelligence Community is for full text searching of data. To start, we now have a Data Source option to use Elasticsearch (ELK is in our stack) to full-text index checklist vulnerabilities data and checklist metadata.

Checklist metadata is the host, IP, FQDN, type, and other descriptive information on the checklist.

The vulnerabilities data is any data used in the checklist as well as data you enter for details and comments, plus the fix text, discussion, CCI, control information, etc. It is a great way to quickly search on text within the checklist, not just severity and type.

Full text searching of all checklist data in OpenRMF Professional v2.11

System Package Preferences

We added preferences you can set for your system package (ATO) data now as well. This sets data limits on what is allowed and not allowed based on needs. Now the System Owners control those specifics.

  • allow uncredentialed scans (default false)
  • allow editing severity override data on checklist vulnerabilities (default true)
  • limit a checklist to be in max 1 Team Subpackage at a time (default false)
  • limit a device to be in max 1 Team Subpackage at a time (default false)

System Preferences to control how you use your data

Journaling

We added a new journal feature to all system packages (ATO) to track the who, what, when, why, how, and with what on all create, update, delete, and download of data within the package.

Think of this like a “ledger for an accountant”, but for your cyber compliance package. And it starts with “this person created a system package” depending on when you start to use it.

We also added a separate journal at the top level for administrative functions like overall settings, templates, deleting system packages, data sources and more.

White Label and Custom Themes

White labeling and custom themes let you customize your OpenRMF Professional version to fit your needs.

  • your logo
  • your title
  • your footer
  • your support email
  • even your version
  • add your custom CSS information for a custom theme as well

Other Improvements

We also had our team make some other improvements you can see instantly, such as

  • faster data table loads from refactoring all pages
  • faster CSS loading
  • additional filters throughout for finding the data you need
  • system package dashboard links for one-click access to main data

Security of Image Components

Finally, security is always top of mind. ESPECIALLY if you are a company touting help with cyber compliance!!

To that end we also worked on cleaning up base images, moving to newer versions of applications, making sure our architecture mitigated any other issues, and talking to 3rd party groups about vulnerabilities and false positives.

This is the cleanest scanned release we have had. Yet. Our CISO Dave Gould is working with some software to go into images and clean them up more. Even 3rd party ones. More to come on that later.

Cyber Compliance Automation

If you are new to the RMF, FedRAMP, or cyber compliance area, check us out. We have live demos, you can fully evaluate our application, and you can even use our API to tie into your cyber mesh architecture.

You can even make a read-only account on our live site and see what we are up to!

Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
